The Forever Cookie: New Tracking Technologies Continue To Threaten Privacy

In March of 2005, ad technology company United Virtualities boasted that it could track Web users through a "pie," or persistent identification element," that would remain on people's computers even if they deleted their cookies.

At the time, the company bragged that the pie -- a Flash cookie, also known as a local shared object, which is stored in a different place in the browser than an HTTP cookie -- wouldn't be deleted from any then-available anti-adware or spyware-removal program.

Fast-forward to the present: Dozens of companies are facing potential class-action lawsuits for allegedly circumventing people's privacy choices by using Flash to create erased HTTP cookies. Federal Trade Commission officials are blasting companies for bypassing users' settings. Congress is probing Web companies' online tracking methods -- including, specifically, the use of Flash.



But even as lawmakers and other officials investigate the 5-year-old pie, new tracking technology is emerging that could prove even more controversial.

Among the latest is programmer Samy Kamkar's evercookie, created to demonstrate just how easily a company can track people regardless of their preferences. "Simply think of it as cookies that just won't go away," he writes in a post explaining the tool. "If the user deletes their standard HTTP cookies, LSO (local shared objects) data, and all HTML5 storage, the PNG cookie and history cookies will still exist. Once either of those are discovered, all of the others will come back (assuming the browser supports them)."

Kamkar himself makes it clear that he's no fan of this type of forced tracking; he tells The New York Times: "I should also be able to opt out because it is my computer." Still, if Kamkar thought of it, probably others did too. If not, they certainly know about it now.

But that's only one possible new tracking technology. Consider, the Electronic Frontier Foundation recently said that the vast majority of Web users' browsers are unique and trackable. In other words, even if users erase their cookies, they can be tracked based on the characteristics of their browsers -- without their consent.

Currently no law requires companies to allow users to opt out of tracking, which means that evercookie is legal in the U.S., as are browser-based identifications. But don't expect five more years to pass before policymakers tackle the subject. Congress and the FTC are far more attuned to online privacy now than in 2005, when Flash cookies were first proposed as tracking mechanisms. What's more, the plaintiffs' bar has taken an interest in online privacy in the last two years, suing companies ranging from Google to Amazon to NebuAd for alleged privacy violations.

Still, whether companies will be less eager to deploy evercookie (or other similarly hard-to-control tracking mechanisms) than older forms of tracking remains to be seen.

6 comments about "The Forever Cookie: New Tracking Technologies Continue To Threaten Privacy ".
Check to receive email when comments are posted.
  1. Ari Rosenberg from Performance Pricing Holdings, LLC, October 11, 2010 at 8:33 p.m.

    Wendy, great job uncovering the dark/slimy side of our business -- this is disgusting.


  2. Donna Smith from Mediacom, October 11, 2010 at 10:02 p.m.

    Oh get a life. So what if cookies are tracking my clicks - I'd rather receive relevant information than general crap. Ari baby - what do you have to hide?

  3. Stephen Shearin from ionBurst Media, October 12, 2010 at 11:26 a.m.

    I'm all for cookies and tracking. It's the world I live in, and apparently everyone else too, whether they know it or not. With that said (looking @Donna Smith), it's the lack of transparency and self-regulation that should be concerning.

    If your visit to your (sensitive_location)is logged daily, it's much easier to ride along with you tomorrow and steal your info (acct names, numbers, locations, etc). Or your online identity in general. The companies tracking are not necessarily doing this, but neither are they taking steps to prevent less scrupulous agents from utilizing advances in technology to their ends. Tracking/targeting - good. Unauthorized use of information for deleterious purposes - not good.

  4. The digital Hobo from, October 12, 2010 at 3:33 p.m.

    Been waiting for someone to bring up United Virtualities. Its not like this is a new phenomenon.

    Stephen is right. The problem isn't the cookie. The problem is the lack of transparency and the "bad people doing bad things" with technology.

    But are we really going to defend our business with "Guns don't kill people, people kill people" as our defense?

    We're a smart bunch. Certainly we can do a little better.

  5. Paula Lynn from Who Else Unlimited, October 12, 2010 at 6:02 p.m.

    Most people's info is unimportant to most people except the advertisers/marketers. But it only takes one rotten apple.....

  6. Joe Malley from law offices of joseph malley, October 17, 2010 at 12:15 a.m.


    It's not foreever cookies, or ever cookies, its: 4evercookies, as opposed to; ZOMBIE DATBASES.

    joe malley

Next story loading loading..